If you took an Uber to meet your Bumble date and later split the tab on Cash App, you just used at least three Application Programming Interfaces, or APIs. In addition to sharing data with your date, you probably shared some of your data with Uber, Bumble, and Block, the parent company of Cash App. Uber may share data with other third parties such as business partners or websites that integrate with Uber APIs. Cash App may share data with other third-party companies to deliver Cash App services. Bumble may share data about users’ age, gender, and location with marketing service providers, like Meta.
An API is a software intermediary that allows two applications to communicate with each other. APIs are used between strategic business partners to integrate platforms or services. Because APIs facilitate the exchange of data, they pose privacy risks. Two recent class action lawsuits reveal the dangers of obtaining and sharing customer data via APIs with insufficient privacy policies or disclosures.
On July 22, 2022, a federal judge in California approved a $58 million settlement in a class action brought against fintech company Plaid. The class alleged that Plaid violated its customers’ privacy rights by “scraping” their transactional bank account information, without their knowledge or consent, through Plaid’s API.
On October 12, 2022, a federal jury found BNSF Railway liable for collecting biometric data of truck drivers without first giving written notice and obtaining consent to collect their fingerprints at gates used to access BNSF Railway facilities. A federal judge entered judgment against BNSF Railway for $228 million. BNSF Railway is now suing Remprex, LLC, the company it hired to implement the automatic gate systems that collected the fingerprints.
What can a business do to limit the risks created by collecting and sharing data, perhaps on behalf of a larger customer like a Plaid or BNSF Railway? First, the business should understand what kind of data it is controlling, collecting, or processing and how that data flows. Then the business should confirm what laws apply to the data involved in its business. If the business uses or collects personally identifiable information or protected health data, it will have to abide by state, federal, and perhaps international data protection and privacy laws. Second, the business should have clear disclosures about how it uses the data and offer an opt-in or opt-out notice. Third, the business should carefully review its agreements with vendors or API providers, including the Data Privacy Agreement, Data Protection details, Data Security, Indemnification, and Dispute Resolution provisions.
At Dunnington, Bartholow & Miller LLP we are ready to assist our clients with sound and reliable legal advice and recommendations for negotiating data privacy agreements. Our attorneys have experience with the most appropriate provisions to protect a business from both domestic and international liability.